Can't get rid of viruses


  • This topic is locked
76 replies to this topic

#61 fishbone
    Newbie
  • Members
  • 1 posts

Posted 26 January 2006 - 01:56 AM

LOG REMOVED
Please start your own post

#62 indigenous1
    Journeyman
  • Members
  • 45 posts

Posted 26 January 2006 - 05:08 AM

I ran CleanUp! twice with your instructions but the virus is still present in that same folder. I also deleted my About:Buster and redownloaded it. I ran it in safe mode and got the same "overflow" error. I also ran Ewido and Ad-Aware in safe mode. Ewido came up with the same 29 files it always finds. Ad-Aware came up with nothing. It's only when I'm in normal mode that the avast "virus found" screen comes up when running Ad-Aware. Here is a fresh HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 5:04:24 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
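As an added example, not part of the thread and not HijackThis's own code: a small Python triage pass over a constructed subset of the HijackThis 1.99.1 lines above. The flag rules (a BHO with no display name, O23 services reported missing or with no owner, downloaded ActiveX controls, Winlogon Notify DLLs) are this editor's review checklist, not HijackThis verdicts, and every hit is something to confirm on disk before acting. The two avast service lines show why that confirmation matters: the stray quote after `.exe` indicates HJT split a quoted service path, and the running-processes list above shows ashMaiSv.exe is in fact running, so "(file missing)" there is a parsing artefact rather than evidence of a missing binary.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 lines from the post above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec....rl/LSSupCtl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples for the entry lines in an HJT log."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_hjt(text):
    """Apply the review checklist and return (section, reason, body) for entries to confirm.

    These are reviewer prompts (this editor's rules), not verdicts: each hit still
    has to be checked on disk before anything is removed.
    """
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and "(no name)" in body:
            findings.append((section, "BHO without a display name", body))
        elif section == "O16":
            findings.append((section, "downloaded ActiveX control; verify the source host", body))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL loads at every logon; verify publisher", body))
        elif section == "O23":
            if "(file missing)" in body:
                # A quote directly after .exe means HJT cut a quoted service path short.
                if re.search(r'\.exe" ', body, re.IGNORECASE):
                    reason = ("'file missing' after a stray quote: HJT split a quoted "
                              "service path, confirm the binary exists before acting")
                else:
                    reason = "service binary reported missing"
                findings.append((section, reason, body))
            elif "Unknown owner" in body:
                findings.append((section, "service binary carries no company name", body))
    return findings


def sections_flagged(text):
    """Sorted list of the distinct HJT sections that produced findings."""
    return sorted({section for section, _, _ in triage_hjt(text)})


if __name__ == "__main__":
    for section, reason, body in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Run it as a script to print the flagged lines; entries such as the Google Toolbar BHO, the avast Run key and the ewido service pass through untouched because none of the rules fire on them.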

#63 guestolo
    Site Donator
  • Admin
  • 16,247 posts

Posted 26 January 2006 - 11:01 PM

Please make sure the realtime protections of SpySweeper are disabled

That file is in your temp folder
That error you're getting with About:Buster is being looked into by the developer of the fix
No solution yet I don't believe
Can you do the following please

Download and UNZIP to your desktop from the bottom of this reply box
CWSserviceremove.zip, so you now have cwsserviceremove.reg extracted

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Reboot back to safe mode

Manually navigate to, and delete the WHOLE contents of the temp folders (including sub-folders)
Do not delete the temp directories themselves

# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Run CleanUp! again in safe mode

Double click on cwsserviceremove.reg and allow to add/merge to the registry

Open RegSeeker.exe
Click on "Clean the registry" in the left menu
Hit OK
Let it finish scanning and then ensure Backup before deletion is checked

Choose "Select all"
Right click and Delete all selected

Open Hijackthis>>Open Misc tools>>Open ADS Spy...
Click on SCAN, when it's done save the log to your desktop

Reboot back to Normal mode

Post the log from ADS Spy please

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#64 indigenous1
    Journeyman
  • Members
  • 45 posts

Posted 27 January 2006 - 03:57 AM

Deleted all files in temp and temporary internet folders, although 2 would not delete b/c the files were in use. Ran CleanUp! and merged cwsserviceremove.reg. Also ran RegSeeker. Here is the ADS Spy log. Just ran Ad-Aware again and the virus is still there.

C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : abclxy (0 bytes)
C:\WINDOWS\_detmp.2 : abfcuh (0 bytes)
C:\WINDOWS\_detmp.2 : accrny (0 bytes)
C:\WINDOWS\_detmp.2 : acrarp (0 bytes)
C:\WINDOWS\_detmp.2 : aeayez (11736 bytes)
C:\WINDOWS\_detmp.2 : aefkgw (0 bytes)
C:\WINDOWS\_detmp.2 : aeinmg (0 bytes)
C:\WINDOWS\_detmp.2 : aeutkn (0 bytes)
C:\WINDOWS\_detmp.2 : afczin (0 bytes)
C:\WINDOWS\_detmp.2 : afrime (0 bytes)
C:\WINDOWS\_detmp.2 : agaube (0 bytes)
C:\WINDOWS\_detmp.2 : agauzv (0 bytes)
C:\WINDOWS\_detmp.2 : ahjsin (0 bytes)
C:\WINDOWS\_detmp.2 : ahuhuc (0 bytes)
C:\WINDOWS\_detmp.2 : ahvjfw (0 bytes)
C:\WINDOWS\_detmp.2 : ahxkbl (0 bytes)
C:\WINDOWS\_detmp.2 : aizolz (11152 bytes)
C:\WINDOWS\_detmp.2 : ajckmh (0 bytes)
C:\WINDOWS\_detmp.2 : ajfvsr (0 bytes)
C:\WINDOWS\_detmp.2 : ajqtqy (0 bytes)
C:\WINDOWS\_detmp.2 : ajtwwi (0 bytes)
C:\WINDOWS\_detmp.2 : akejwf (0 bytes)
C:\WINDOWS\_detmp.2 : akpatw (0 bytes)
C:\WINDOWS\_detmp.2 : amcszw (0 bytes)
C:\WINDOWS\_detmp.2 : amfvfg (0 bytes)
C:\WINDOWS\_detmp.2 : amrbcn (0 bytes)
C:\WINDOWS\_detmp.2 : amuejx (0 bytes)
C:\WINDOWS\_detmp.2 : anoqee (0 bytes)
C:\WINDOWS\_detmp.2 : anouyu (11152 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.2 : aomlvm (0 bytes)
C:\WINDOWS\_detmp.2 : aoxcrv (0 bytes)
C:\WINDOWS\_detmp.2 : apbnme (0 bytes)
C:\WINDOWS\_detmp.2 : apgyrt (0 bytes)
C:\WINDOWS\_detmp.2 : apjjxd (0 bytes)
C:\WINDOWS\_detmp.2 : apuatm (0 bytes)
C:\WINDOWS\_detmp.2 : apuszm (0 bytes)
C:\WINDOWS\_detmp.2 : apzbct (0 bytes)
C:\WINDOWS\_detmp.2 : arjrna (9237 bytes)
C:\WINDOWS\_detmp.2 : arncqn (0 bytes)
C:\WINDOWS\_detmp.2 : asrmdh (0 bytes)
C:\WINDOWS\_detmp.2 : atehuh (11736 bytes)
C:\WINDOWS\_detmp.2 : atqubp (0 bytes)
C:\WINDOWS\_detmp.2 : aulnfd (11736 bytes)
C:\WINDOWS\_detmp.2 : aunjvf (0 bytes)
C:\WINDOWS\_detmp.2 : aurjcz (0 bytes)
C:\WINDOWS\_detmp.2 : auxoly (9237 bytes)
C:\WINDOWS\_detmp.2 : auzpan (0 bytes)
C:\WINDOWS\_detmp.2 : avqlmc (11152 bytes)
C:\WINDOWS\_detmp.2 : awiuoe (0 bytes)
C:\WINDOWS\_detmp.2 : awxvqx (0 bytes)
C:\WINDOWS\_detmp.2 : axcojl (0 bytes)
C:\WINDOWS\_detmp.2 : axneiv (0 bytes)
C:\WINDOWS\_detmp.2 : axrhzm (0 bytes)
C:\WINDOWS\_detmp.2 : axrpnc (0 bytes)
C:\WINDOWS\_detmp.2 : ayoric (11736 bytes)
C:\WINDOWS\_detmp.2 : azqhoj (4870 bytes)
C:\WINDOWS\_detmp.2 : azybmw (0 bytes)
C:\WINDOWS\_detmp.2 : babdet (0 bytes)
C:\WINDOWS\_detmp.2 : baovaa (0 bytes)
C:\WINDOWS\_detmp.2 : bavxst (11736 bytes)
C:\WINDOWS\_detmp.2 : bazmxj (0 bytes)
C:\WINDOWS\_detmp.2 : bblsur (0 bytes)
C:\WINDOWS\_detmp.2 : bbvxvz (11152 bytes)
C:\WINDOWS\_detmp.2 : bcozvz (0 bytes)
C:\WINDOWS\_detmp.2 : bczrri (0 bytes)
C:\WINDOWS\_detmp.2 : bdgdnp (0 bytes)
C:\WINDOWS\_detmp.2 : bdsujy (0 bytes)
C:\WINDOWS\_detmp.2 : bdytsd (11152 bytes)
C:\WINDOWS\_detmp.2 : begeru (0 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : bfmtqz (0 bytes)
C:\WINDOWS\_detmp.4 : bznuba (0 bytes)
C:\WINDOWS\_detmp.4 : dsdffe (0 bytes)
C:\WINDOWS\_detmp.4 : dvwnrt (0 bytes)
C:\WINDOWS\_detmp.4 : dwfinc (0 bytes)
C:\WINDOWS\_detmp.4 : egpigq (0 bytes)
C:\WINDOWS\_detmp.4 : erhjsg (0 bytes)
C:\WINDOWS\_detmp.4 : ewmjqj (0 bytes)
C:\WINDOWS\_detmp.4 : faluce (0 bytes)
C:\WINDOWS\_detmp.4 : frrrkv (0 bytes)
C:\WINDOWS\_detmp.4 : ftrzxl (0 bytes)
C:\WINDOWS\_detmp.4 : gpomuh (0 bytes)
C:\WINDOWS\_detmp.4 : hblgxn (0 bytes)
C:\WINDOWS\_detmp.4 : igephh (0 bytes)
C:\WINDOWS\_detmp.4 : ilnwkr (0 bytes)
C:\WINDOWS\_detmp.4 : iyihoh (0 bytes)
C:\WINDOWS\_detmp.4 : jgvphx (0 bytes)
C:\WINDOWS\_detmp.4 : jhphtu (0 bytes)
C:\WINDOWS\_detmp.4 : jjuwxc (0 bytes)
C:\WINDOWS\_detmp.4 : jpvivx (0 bytes)
C:\WINDOWS\_detmp.4 : kclzxr (0 bytes)
C:\WINDOWS\_detmp.4 : kkiqqj (0 bytes)
C:\WINDOWS\_detmp.4 : kmorfq (0 bytes)
C:\WINDOWS\_detmp.4 : kwgsqp (0 bytes)
C:\WINDOWS\_detmp.4 : kwudlr (0 bytes)
C:\WINDOWS\_detmp.4 : kwvtuy (0 bytes)
C:\WINDOWS\_detmp.4 : kzlakb (0 bytes)
C:\WINDOWS\_detmp.4 : lpreb (0 bytes)
C:\WINDOWS\_detmp.4 : lqxdqw (0 bytes)
C:\WINDOWS\_detmp.4 : lyiumf (0 bytes)
C:\WINDOWS\_detmp.4 : mhxemm (0 bytes)
C:\WINDOWS\_detmp.4 : moiuao (0 bytes)
C:\WINDOWS\_detmp.4 : mtytdi (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\_detmp.4 : npintp (0 bytes)
C:\WINDOWS\_detmp.4 : obdgtr (0 bytes)
C:\WINDOWS\_detmp.4 : oespkx (0 bytes)
C:\WINDOWS\_detmp.4 : ogfjco (0 bytes)
C:\WINDOWS\_detmp.4 : pibbdc (0 bytes)
C:\WINDOWS\_detmp.4 : ppelqn (0 bytes)
C:\WINDOWS\_detmp.4 : ptrfuu (0 bytes)
C:\WINDOWS\_detmp.4 : qanbdz (0 bytes)
C:\WINDOWS\_detmp.4 : qcxnyr (0 bytes)
C:\WINDOWS\_detmp.4 : qdfipp (0 bytes)
C:\WINDOWS\_detmp.4 : qmsogi (0 bytes)
C:\WINDOWS\_detmp.4 : qscjhq (0 bytes)
C:\WINDOWS\_detmp.4 : rolvbm (0 bytes)
C:\WINDOWS\_detmp.4 : rqrequ (0 bytes)
C:\WINDOWS\_detmp.4 : rxxajf (0 bytes)
C:\WINDOWS\_detmp.4 : sbelrp (0 bytes)
C:\WINDOWS\_detmp.4 : sufbxq (0 bytes)
C:\WINDOWS\_detmp.4 : svcqrh (0 bytes)
C:\WINDOWS\_detmp.4 : tfmxkv (0 bytes)
C:\WINDOWS\_detmp.4 : tgfykc (0 bytes)
C:\WINDOWS\_detmp.4 : thiidu (0 bytes)
C:\WINDOWS\_detmp.4 : ttlogh (197761 bytes)
C:\WINDOWS\_detmp.4 : uagzek (0 bytes)
C:\WINDOWS\_detmp.4 : ukjyqg (0 bytes)
C:\WINDOWS\_detmp.4 : usupmp (0 bytes)
C:\WINDOWS\_detmp.4 : vgvuil (0 bytes)
C:\WINDOWS\_detmp.4 : vllamw (0 bytes)
C:\WINDOWS\_detmp.4 : vorkbl (0 bytes)
C:\WINDOWS\_detmp.4 : vtwkho (0 bytes)
C:\WINDOWS\_detmp.4 : vvostd (0 bytes)
C:\WINDOWS\_detmp.4 : vxxohe (0 bytes)
C:\WINDOWS\_detmp.4 : whtmxb (0 bytes)
C:\WINDOWS\_detmp.4 : wzowmt (197761 bytes)
C:\WINDOWS\_detmp.4 : xbeieg (0 bytes)
C:\WINDOWS\_detmp.4 : xcyurv (0 bytes)
C:\WINDOWS\_detmp.4 : xkjloe (0 bytes)
C:\WINDOWS\_detmp.4 : xrjemg (0 bytes)

#65 guestolo
    Site Donator
  • Admin
  • 16,247 posts

Posted 27 January 2006 - 08:49 AM

Can you run Killbox.exe
Click on Tools>>>Delete Temp files

Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold

C:\WINDOWS\_detmp.2

Select the options to "Delete File on Reboot" and "End Explorer Shell While Killing File"

Click the Red Circle with the White X
Confirm to Delete but don't reboot yet
Instead, do the same for this one

C:\WINDOWS\_detmp.4

This time allow to reboot the computer
If you get a Pending operations message
Close it and Restart the computer manually

Back in Windows
Run Hijackthis' ADS Spy again
This time, before running the scan with ads spy
Can you remove the check from "Quick Scan" please

Post the new log



#66 indigenous1
    Journeyman
  • Members
  • 45 posts

Posted 28 January 2006 - 04:23 PM

Ran Killbox and deleted the 2 files and temp files. Here is the ADS Spy log. Ran Ad-Aware again. Virus still present.

C:\!KillBox\_detmp.2 : aagjuq (11736 bytes)
C:\!KillBox\_detmp.2 : aaqmhk (0 bytes)
C:\!KillBox\_detmp.2 : abclxy (0 bytes)
C:\!KillBox\_detmp.2 : abfcuh (0 bytes)
C:\!KillBox\_detmp.2 : accrny (0 bytes)
C:\!KillBox\_detmp.2 : acrarp (0 bytes)
C:\!KillBox\_detmp.2 : aeayez (11736 bytes)
C:\!KillBox\_detmp.2 : aefkgw (0 bytes)
C:\!KillBox\_detmp.2 : aeinmg (0 bytes)
C:\!KillBox\_detmp.2 : aeutkn (0 bytes)
C:\!KillBox\_detmp.2 : afczin (0 bytes)
C:\!KillBox\_detmp.2 : afrime (0 bytes)
C:\!KillBox\_detmp.2 : agaube (0 bytes)
C:\!KillBox\_detmp.2 : agauzv (0 bytes)
C:\!KillBox\_detmp.2 : ahjsin (0 bytes)
C:\!KillBox\_detmp.2 : ahuhuc (0 bytes)
C:\!KillBox\_detmp.2 : ahvjfw (0 bytes)
C:\!KillBox\_detmp.2 : ahxkbl (0 bytes)
C:\!KillBox\_detmp.2 : aizolz (11152 bytes)
C:\!KillBox\_detmp.2 : ajckmh (0 bytes)
C:\!KillBox\_detmp.2 : ajfvsr (0 bytes)
C:\!KillBox\_detmp.2 : ajqtqy (0 bytes)
C:\!KillBox\_detmp.2 : ajtwwi (0 bytes)
C:\!KillBox\_detmp.2 : akejwf (0 bytes)
C:\!KillBox\_detmp.2 : akpatw (0 bytes)
C:\!KillBox\_detmp.2 : amcszw (0 bytes)
C:\!KillBox\_detmp.2 : amfvfg (0 bytes)
C:\!KillBox\_detmp.2 : amrbcn (0 bytes)
C:\!KillBox\_detmp.2 : amuejx (0 bytes)
C:\!KillBox\_detmp.2 : anoqee (0 bytes)
C:\!KillBox\_detmp.2 : anouyu (11152 bytes)
C:\!KillBox\_detmp.2 : aokbck (4870 bytes)
C:\!KillBox\_detmp.2 : aomlvm (0 bytes)
C:\!KillBox\_detmp.2 : aoxcrv (0 bytes)
C:\!KillBox\_detmp.2 : apbnme (0 bytes)
C:\!KillBox\_detmp.2 : apgyrt (0 bytes)
C:\!KillBox\_detmp.2 : apjjxd (0 bytes)
C:\!KillBox\_detmp.2 : apuatm (0 bytes)
C:\!KillBox\_detmp.2 : apuszm (0 bytes)
C:\!KillBox\_detmp.2 : apzbct (0 bytes)
C:\!KillBox\_detmp.2 : arjrna (9237 bytes)
C:\!KillBox\_detmp.2 : arncqn (0 bytes)
C:\!KillBox\_detmp.2 : asrmdh (0 bytes)
C:\!KillBox\_detmp.2 : atehuh (11736 bytes)
C:\!KillBox\_detmp.2 : atqubp (0 bytes)
C:\!KillBox\_detmp.2 : aulnfd (11736 bytes)
C:\!KillBox\_detmp.2 : aunjvf (0 bytes)
C:\!KillBox\_detmp.2 : aurjcz (0 bytes)
C:\!KillBox\_detmp.2 : auxoly (9237 bytes)
C:\!KillBox\_detmp.2 : auzpan (0 bytes)
C:\!KillBox\_detmp.2 : avqlmc (11152 bytes)
C:\!KillBox\_detmp.2 : awiuoe (0 bytes)
C:\!KillBox\_detmp.2 : awxvqx (0 bytes)
C:\!KillBox\_detmp.2 : axcojl (0 bytes)
C:\!KillBox\_detmp.2 : axneiv (0 bytes)
C:\!KillBox\_detmp.2 : axrhzm (0 bytes)
C:\!KillBox\_detmp.2 : axrpnc (0 bytes)
C:\!KillBox\_detmp.2 : ayoric (11736 bytes)
C:\!KillBox\_detmp.2 : azqhoj (4870 bytes)
C:\!KillBox\_detmp.2 : azybmw (0 bytes)
C:\!KillBox\_detmp.2 : babdet (0 bytes)
C:\!KillBox\_detmp.2 : baovaa (0 bytes)
C:\!KillBox\_detmp.2 : bavxst (11736 bytes)
C:\!KillBox\_detmp.2 : bazmxj (0 bytes)
C:\!KillBox\_detmp.2 : bblsur (0 bytes)
C:\!KillBox\_detmp.2 : bbvxvz (11152 bytes)
C:\!KillBox\_detmp.2 : bcozvz (0 bytes)
C:\!KillBox\_detmp.2 : bczrri (0 bytes)
C:\!KillBox\_detmp.2 : bdgdnp (0 bytes)
C:\!KillBox\_detmp.2 : bdsujy (0 bytes)
C:\!KillBox\_detmp.2 : bdytsd (11152 bytes)
C:\!KillBox\_detmp.2 : begeru (0 bytes)
C:\!KillBox\_detmp.4 : aoauxa (0 bytes)
C:\!KillBox\_detmp.4 : bfmtqz (0 bytes)
C:\!KillBox\_detmp.4 : bznuba (0 bytes)
C:\!KillBox\_detmp.4 : dsdffe (0 bytes)
C:\!KillBox\_detmp.4 : dvwnrt (0 bytes)
C:\!KillBox\_detmp.4 : dwfinc (0 bytes)
C:\!KillBox\_detmp.4 : egpigq (0 bytes)
C:\!KillBox\_detmp.4 : erhjsg (0 bytes)
C:\!KillBox\_detmp.4 : ewmjqj (0 bytes)
C:\!KillBox\_detmp.4 : faluce (0 bytes)
C:\!KillBox\_detmp.4 : frrrkv (0 bytes)
C:\!KillBox\_detmp.4 : ftrzxl (0 bytes)
C:\!KillBox\_detmp.4 : gpomuh (0 bytes)
C:\!KillBox\_detmp.4 : hblgxn (0 bytes)
C:\!KillBox\_detmp.4 : igephh (0 bytes)
C:\!KillBox\_detmp.4 : ilnwkr (0 bytes)
C:\!KillBox\_detmp.4 : iyihoh (0 bytes)
C:\!KillBox\_detmp.4 : jgvphx (0 bytes)
C:\!KillBox\_detmp.4 : jhphtu (0 bytes)
C:\!KillBox\_detmp.4 : jjuwxc (0 bytes)
C:\!KillBox\_detmp.4 : jpvivx (0 bytes)
C:\!KillBox\_detmp.4 : kclzxr (0 bytes)
C:\!KillBox\_detmp.4 : kkiqqj (0 bytes)
C:\!KillBox\_detmp.4 : kmorfq (0 bytes)
C:\!KillBox\_detmp.4 : kwgsqp (0 bytes)
C:\!KillBox\_detmp.4 : kwudlr (0 bytes)
C:\!KillBox\_detmp.4 : kwvtuy (0 bytes)
C:\!KillBox\_detmp.4 : kzlakb (0 bytes)
C:\!KillBox\_detmp.4 : lpreb (0 bytes)
C:\!KillBox\_detmp.4 : lqxdqw (0 bytes)
C:\!KillBox\_detmp.4 : lyiumf (0 bytes)
C:\!KillBox\_detmp.4 : mhxemm (0 bytes)
C:\!KillBox\_detmp.4 : moiuao (0 bytes)
C:\!KillBox\_detmp.4 : mtytdi (0 bytes)
C:\!KillBox\_detmp.4 : naujlu (197761 bytes)
C:\!KillBox\_detmp.4 : npintp (0 bytes)
C:\!KillBox\_detmp.4 : obdgtr (0 bytes)
C:\!KillBox\_detmp.4 : oespkx (0 bytes)
C:\!KillBox\_detmp.4 : ogfjco (0 bytes)
C:\!KillBox\_detmp.4 : pibbdc (0 bytes)
C:\!KillBox\_detmp.4 : ppelqn (0 bytes)
C:\!KillBox\_detmp.4 : ptrfuu (0 bytes)
C:\!KillBox\_detmp.4 : qanbdz (0 bytes)
C:\!KillBox\_detmp.4 : qcxnyr (0 bytes)
C:\!KillBox\_detmp.4 : qdfipp (0 bytes)
C:\!KillBox\_detmp.4 : qmsogi (0 bytes)
C:\!KillBox\_detmp.4 : qscjhq (0 bytes)
C:\!KillBox\_detmp.4 : rolvbm (0 bytes)
C:\!KillBox\_detmp.4 : rqrequ (0 bytes)
C:\!KillBox\_detmp.4 : rxxajf (0 bytes)
C:\!KillBox\_detmp.4 : sbelrp (0 bytes)
C:\!KillBox\_detmp.4 : sufbxq (0 bytes)
C:\!KillBox\_detmp.4 : svcqrh (0 bytes)
C:\!KillBox\_detmp.4 : tfmxkv (0 bytes)
C:\!KillBox\_detmp.4 : tgfykc (0 bytes)
C:\!KillBox\_detmp.4 : thiidu (0 bytes)
C:\!KillBox\_detmp.4 : ttlogh (197761 bytes)
C:\!KillBox\_detmp.4 : uagzek (0 bytes)
C:\!KillBox\_detmp.4 : ukjyqg (0 bytes)
C:\!KillBox\_detmp.4 : usupmp (0 bytes)
C:\!KillBox\_detmp.4 : vgvuil (0 bytes)
C:\!KillBox\_detmp.4 : vllamw (0 bytes)
C:\!KillBox\_detmp.4 : vorkbl (0 bytes)
C:\!KillBox\_detmp.4 : vtwkho (0 bytes)
C:\!KillBox\_detmp.4 : vvostd (0 bytes)
C:\!KillBox\_detmp.4 : vxxohe (0 bytes)
C:\!KillBox\_detmp.4 : whtmxb (0 bytes)
C:\!KillBox\_detmp.4 : wzowmt (197761 bytes)
C:\!KillBox\_detmp.4 : xbeieg (0 bytes)
C:\!KillBox\_detmp.4 : xcyurv (0 bytes)
C:\!KillBox\_detmp.4 : xkjloe (0 bytes)
C:\!KillBox\_detmp.4 : xrjemg (0 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
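As an added example, not part of the thread and not ADS Spy's own code: a Python triage pass over a constructed subset of the ADS Spy lines from posts #64 and #66 above. The point it makes visible is that the host object on most lines is a directory, not a file: alternate data streams hang off the folder entry itself, which is why emptying the temp folders in post #63 left them untouched, and why the #66 log shows the very same stream names and sizes under C:\!KillBox once Killbox moved the folders there. The script only reads the log text; it does not touch the disk. The random-name pattern and the "repeated size means copies of one payload" reading are this editor's heuristics for this log, not anything ADS Spy reports.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ADS Spy lines from the two posts above
# (the _detmp entries are from #64, the system32 entries from #66).
SAMPLE_ADS_LOG = r"""
C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : aizolz (11152 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.2 : atehuh (11736 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\_detmp.4 : ttlogh (197761 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
"""

# ADS Spy prints one stream per line: "<host object> : <stream name> (<size> bytes)".
LINE_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")
# Heuristic for this log: the dropped stream names are short runs of lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,6}$")


def parse_ads_log(text):
    """Return (host_path, stream_name, size_in_bytes) for each parsable line."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group("host"), m.group("stream"), int(m.group("size"))))
    return rows


def triage_ads(text):
    """Group streams by host object and summarise what matters for cleanup.

    For each host: how many streams, how many are empty, which sizes carry data
    and under which names (a repeated size usually means copies of one payload),
    and whether every name fits the random-name pattern.
    """
    by_host = defaultdict(list)
    for host, stream, size in parse_ads_log(text):
        by_host[host].append((stream, size))
    report = {}
    for host, streams in by_host.items():
        payloads = defaultdict(list)
        for name, size in streams:
            if size > 0:
                payloads[size].append(name)
        report[host] = {
            "total": len(streams),
            "empty": sum(1 for _, size in streams if size == 0),
            "payloads": {size: sorted(names) for size, names in payloads.items()},
            "random_names": all(RANDOM_NAME_RE.match(name) for name, _ in streams),
        }
    return report


def payload_streams(text):
    """Non-empty streams, largest first: the items worth preserving for analysis
    before the host object is deleted."""
    rows = [r for r in parse_ads_log(text) if r[2] > 0]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for host, info in triage_ads(SAMPLE_ADS_LOG).items():
        print(f"{host}: {info['total']} streams, {info['empty']} empty, "
              f"random names={info['random_names']}")
        for size, names in sorted(info["payloads"].items(), reverse=True):
            print(f"    {size:>7} bytes x{len(names)}: {', '.join(names)}")
```

On the sample this separates the two temp folders (all random names, a handful of non-empty sizes each repeated under different names) from the system32 entry, whose stream is named like a DLL and so fails the random-name check, which is exactly the distinction a reviewer wants before deciding what to remove and what to keep a copy of.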

#67 guestolo
    Site Donator
  • Admin
  • 16,247 posts

Posted 29 January 2006 - 11:53 AM

Sorry for the delay

Can you try the following please
From below, download and unzip to the desktop fix3.zip so you now have fix3.reg extracted

Check for updates with Ewido, don't run a scan yet
Check for updates with Ad-Aware, don't run a scan yet

Can you run Killbox.exe
Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold

C:\WINDOWS\system32\pbaa.dll

Select the options to "Delete File on Reboot"
"End Explorer Shell While Killing File"
"Unregister .dll before deleting"

Click the red circle white x button
Allow to delete on reboot
and then reboot now

Please boot into safe mode

In safe mode
Can you double click on fix3.reg and allow to add/merge to the registry

Can you delete the folder created by Killbox
C:\!KillBox <-this folder

Run a complete scan with Ewido afterwards
Save the log when it's done

Can you open the WinPFind folder you extracted to desktop earlier
Double click on WinPFind.exe
Click START SCAN
When it's done just close out

Reboot back to Normal mode

Can you run the scan with Ad-Aware again
When the scan is done Save A Report please

Come back here and post the report from ad-aware
Could you also post the report from Ewido's
Post the results of the WinPFind.txt located in the WinPFind folder
Can you also run ads-spy from hijackthis one more time and post the log

In addition: Can you run a search on this computer for
cgwbwj
Let me know if anything shows up please, if so, at what location



#68 indigenous1
    Journeyman
  • Members
  • 45 posts

Posted 29 January 2006 - 05:11 PM

Downloaded and unzipped fix3. Ran Killbox and deleted the file. Also deleted the Killbox folder. Ran Ad-Aware and it didn't find the file this time so we must've got it. Also, searched for cgwbwj and it wasn't found. When I ran HJT ADS Spy the scan screen was blank and it wouldn't save a logfile so I assume it came up with nothing.
Here are the logs you requested.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:27:37 PM, 1/29/2006
+ Report-Checksum: 562370BB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\counter.cab/counter.exe -> Dropper.Agent.az : Cleaned with backup


::Report End

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 1/19/2006 12:56:46 AM 43391 C:\WINDOWS\browser.exe
UPX! 6/4/2005 11:52:48 AM 84642 C:\WINDOWS\n_ituoof.log

Checking %System% folder...
UPX! 12/20/2005 6:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_004055_.tmp.dll
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_004495_.tmp.dll

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/29/2006 1:21:30 PM S 2048 C:\WINDOWS\bootstat.dat
12/7/2005 10:04:38 PM HS 0 C:\WINDOWS\usuot.log
12/31/2005 12:27:02 AM H 0 C:\WINDOWS\inf\oem37.inf
1/19/2006 11:27:50 AM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_7.cab
11/30/2005 10:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 5:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/29/2006 1:21:38 PM H 16384 C:\WINDOWS\system32\config\default.LOG
1/29/2006 1:21:40 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/29/2006 1:21:30 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/29/2006 1:41:34 PM H 81920 C:\WINDOWS\system32\config\software.LOG
1/29/2006 1:21:42 PM H 1122304 C:\WINDOWS\system32\config\system.LOG
1/19/2006 2:23:18 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/19/2006 11:27:50 AM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/19/2006 11:27:50 AM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 1:20:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/29/2004 2:27:32 PM 1903 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
1/24/2006 4:47:28 PM 1738 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.dat
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.tif

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\kerry and colleen\Application Data\desktop.ini
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.dat
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.tif
3/13/2005 6:45:54 PM 75771 C:\Documents and Settings\kerry and colleen\Application Data\tizinf.xml

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer VTTimer.exe
AGRSMMSG AGRSMMSG.exe
UpdateManager "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
EPSON Stylus CX5200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
avast! C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
CMPDPSRV C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/29/2006 4:34:11 PM

Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, January 29, 2006 4:46:19 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R89 24.01.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-29-2006 4:46:19 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\kerry and colleen\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\kerry and colleen\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 560
ThreadCreationTime : 1-29-2006 10:44:29 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 1-29-2006 10:44:31 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 1-29-2006 10:44:31 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 928
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1080
ThreadCreationTime : 1-29-2006 10:44:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1172
ThreadCreationTime : 1-29-2006 10:44:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1428
ThreadCreationTime : 1-29-2006 10:44:34 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1528
ThreadCreationTime : 1-29-2006 10:44:34 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [hpsysdrv.exe]
FilePath : C:\windows\system\
ProcessID : 1660
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe

#:14 [vttimer.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1676
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.04.06-1020
ProductVersion : 1.04.06-1020
ProductName : S3 Graphics, Inc. Utilities
CompanyName : S3 Graphics, Inc.
InternalName : S3Timer
LegalCopyright : Copyright © 2001-2004 S3 Graphics, Inc.
LegalTrademarks : S3 is a registered trademark of S3 Incorporated

#:15 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1684
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 2.1.41.10 2.1.41.10 06/29/2004 09:06:35
ProductVersion : 2.1.41.10 2.1.41.10 06/29/2004 09:06:35
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:16 [sgtray.exe]
FilePath : C:\Program Files\Common Files\Sonic\Update Manager\
ProcessID : 1692
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.01.32a
CompanyName : Sonic Solutions
FileDescription : Sonic Update Manager
LegalCopyright : Copyright © 2002 Sonic Solutions

#:17 [e_s10ic2.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1700
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 3.05
ProductVersion : 3.05
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2002
OriginalFilename : E_S10IC2.EXE

#:18 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 1708
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal


#:19 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\AVAST4\
ProcessID : 1720
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 4, 6, 739, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswDisp.exe

#:20 [cmpdpsrv.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1732
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.0.0.137
ProductVersion : 1.0.0.137
ProductName : Printer Driver Plus
CompanyName : Conexant Systems, Inc.
FileDescription : PDP RPC Server
InternalName : PDPserver
LegalCopyright : Copyright© Conexant Systems, Inc. 1996-2001
OriginalFilename : PDPserve.dll

#:21 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1756
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:22 [backweb-1940576.exe]
FilePath : C:\Program Files\Compaq Connections\1940576\Program\
ProcessID : 1808
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal


#:23 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 424
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal


#:24 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 436
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : High
FileVersion : 4, 6, 739, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswServ.exe

#:25 [eebsvc.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 468
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal


#:26 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 484
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2000-2001
OriginalFilename : SAgent2.exe

#:27 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido anti-malware\
ProcessID : 516
ThreadCreationTime : 1-29-2006 10:44:43 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:28 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1148
ThreadCreationTime : 1-29-2006 10:44:46 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:29 [wrsssdk.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ProcessID : 1668
ThreadCreationTime : 1-29-2006 10:44:47 PM
BasePriority : Normal
FileVersion : 2,0,9,509
ProductVersion : 2, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright © 2002 - 2005, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:30 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2056
ThreadCreationTime : 1-29-2006 10:44:53 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:31 [ashmaisv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 2332
ThreadCreationTime : 1-29-2006 10:44:54 PM
BasePriority : Normal


#:32 [ashwebsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 2380
ThreadCreationTime : 1-29-2006 10:44:55 PM
BasePriority : Normal


#:33 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2676
ThreadCreationTime : 1-29-2006 10:44:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:34 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3160
ThreadCreationTime : 1-29-2006 10:45:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE

#:35 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3196
ThreadCreationTime : 1-29-2006 10:45:17 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:36 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3416
ThreadCreationTime : 1-29-2006 10:45:39 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:37 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 3520
ThreadCreationTime : 1-29-2006 10:46:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3588
ThreadCreationTime : 1-29-2006 10:46:12 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

5:04:25 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:05.281
Objects scanned:168188
Objects identified:0
Objects ignored:0
New critical objects:0

#69 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 January 2006 - 06:27 PM

Can you move this file to that backup folder you made a while ago
C:\WINDOWS\n_ituoof.log <-this file

I also don't know what this one is related to
Can you right click on it and left click properties
Do you know what it's related to?
C:\WINDOWS\usuot.log
If not, move it to the Backup folder

Create a new system restore point so we have something to fall back on if something goes wrong

I'm curious if those registry entries found by Ewido's actually exist
Can you do the following please, one last download
Download and install Registrar Lite
http://www.resplendence.com/reglite

Save the rest of these instructions please
Reboot into safe mode
In safe mode, go to START>>RUN>>Type in the following
sc stop TBPSSvc


Open Registrar Lite shortcut
Copy and paste the following line in bold into the top address bar of Registrar Lite and then hit GO

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBPSSvc

Reglite should now have highlighted the key and it should be purple in color
right click on TBPSSvc and select 'Delete'.

If you can't delete it, select 'Security' >> 'Edit Permissions' from the pull down menu at the top (with the key still highlighted). Make sure 'Read' and 'Full Control' are selected for your account(in the top pane), click 'Ok' and try to delete it again.
If they are selected and it won't delete

Again in Edit Permissions>>Click the Advanced button
Check the following if unchecked
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key

Do the same for these ones, some may be expanded entries of another key
But I'll include everything as it's easier that way
If you're unsure about an entry don't remove it

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}

Take note: When you enter that entry:
If the CLSID >>>>{2C4E6D22-B71F-491F-AAD3-B6972A650D50} is not found
RegLite will probably highlight HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID <-this entry
DO NOT try and delete that entry, you're after {2C4E6D22-B71F-491F-AAD3-B6972A650D50}

Carry on with these ones
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginConfig

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDow

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDownAdd

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginEvents

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginInst

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginServer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.ToolbarScript

HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files

HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Install

HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns

HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar


That should do it, let me know how everything's running after that

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here
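The post above has the user stop TBPSSvc and delete a long list of keys by hand, and guestolo wonders whether Ewido's registry hits even exist. The script below is an added example, not guestolo's instructions or any tool from the thread: it tests a subset of the listed keys (paste in the rest from the post), exports each one that exists to a backup folder so the change can be reversed with `reg import`, and deletes only when `-Delete` is passed. The backup path is an assumption.

```powershell
# Added example, not from the thread: check which TBPS keys exist, back them up,
# and delete them only on request. Run from an elevated PowerShell prompt.
param(
    [string]$BackupDir = 'C:\RegBackup',   # assumed location, not from the thread
    [switch]$Delete
)

# Subset of the keys from the post; children are listed before the parent
# HKLM\SOFTWARE\Toolbar so each gets its own backup file before the parent goes.
$keys = @(
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBPSSvc',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginServer',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Same effect as the post's 'sc stop TBPSSvc', but only if the service is registered
$svc = Get-Service -Name TBPSSvc -ErrorAction SilentlyContinue
if ($svc) {
    "TBPSSvc service found, state: $($svc.Status)"
    if ($Delete -and $svc.Status -ne 'Stopped') { Stop-Service -Name TBPSSvc -Force }
} else {
    'TBPSSvc service not registered'
}

foreach ($k in $keys) {
    $psPath = "Registry::$k"
    if (-not (Test-Path -LiteralPath $psPath)) {
        "MISSING  $k"
        continue
    }
    # Export before any delete; reg.exe accepts the long HKEY_LOCAL_MACHINE form
    $file = Join-Path $BackupDir (($k -replace '[\\{}:]', '_') + '.reg')
    reg export $k $file /y | Out-Null
    if ($Delete) {
        Remove-Item -LiteralPath $psPath -Recurse -Force
        "DELETED  $k (backup: $file)"
    } else {
        "PRESENT  $k (would delete; backup written to $file)"
    }
}
```

Run it once without `-Delete` to get the same existence check guestolo asked for, then with `-Delete` after confirming a fresh restore point exists.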


#70 indigenous1

indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 30 January 2006 - 05:45 AM

when i tried to move the file C:\WINDOWS\usuot.log to the backup folder there was a prompt asking if i wanted to move this windows system file. i declined b/c the file sounds important (i didn't get that prompt with any other files). it's a good thing that you had me create another system restore point b/c i accidentally deleted a couple registries that i shouldn't have and the computer started acting up and wouldn't run windows explorer. so i had to go back to that point and start over. i deleted all of the registries on the list. i ran ad aware 1 more time and it came up with nothing. ewido also found nothing. one thing though, when i went back to my restore point i don't remember if i redid this task: "In safe mode, go to START>>RUN>>Type in the following sc stop TBPSSvc" should i do it again just in case?

#71 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 30 January 2006 - 07:34 PM

"START>>RUN>>Type in the following sc stop TBPSSvc" should i do it again just in case?


No, don't worry about it
Did you right click on this file and left click properties?
Did you find what it's related to?
C:\WINDOWS\usuot.log <-file

Just to be on the safe side
Can you go to
Jotti's Online Malware scan

Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\usuot.log

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please

I take it everything is running fine now?



#72 indigenous1

indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 30 January 2006 - 10:59 PM

when i submit C:\WINDOWS\usuot.log to jotti's i get this reply in a blank white screen "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file" i do not know what it is related to. when i go to properties is says that it is a text document that opens with notepad. it is 4.0 kb and was created on dec 7, 2005. but everything seems to be running fine.
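Jotti received 0 bytes while Properties shows a 4.0 KB text file, which is the kind of mismatch a defender wants to pin down before renaming the file as guestolo suggests next. The script below is an added example, not from the thread or from Jotti: it records the file's metadata and owner, reads the bytes itself and compares the count to the reported length, hashes the contents for a later lookup, and lists alternate data streams that Explorer's size would not show. It assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the thread: triage a suspicious file before renaming it.
# Path taken from the thread; any other path works the same way.
param([string]$Path = 'C:\WINDOWS\usuot.log')

$item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

# Metadata Explorer's Properties dialog shows, plus the owner, which it hides
[pscustomobject]@{
    Path        = $item.FullName
    Length      = $item.Length
    Created     = $item.CreationTime
    LastWritten = $item.LastWriteTime
    Attributes  = $item.Attributes
    Owner       = (Get-Acl -LiteralPath $Path).Owner
} | Format-List

# Read the bytes ourselves. Reading 0 bytes from a file the directory entry
# reports as 4 KB points to a lock or a filter driver hiding the contents,
# which is the situation Jotti's "0 bytes" message describes.
try {
    $bytes = [System.IO.File]::ReadAllBytes($item.FullName)
    "Read $($bytes.Length) bytes; directory reports $($item.Length)"
    if ($bytes.Length -ne $item.Length) {
        Write-Warning 'Size mismatch: contents may be hidden or locked'
    }
    # A hash lets the file be looked up later without uploading it again
    "SHA256: $((Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash)"
    # Show whether it is really plain text: non-printable bytes in the first 64
    $head = $bytes[0..([Math]::Min(63, $bytes.Length - 1))]
    $binary = @($head | Where-Object { $_ -lt 9 -or ($_ -gt 13 -and $_ -lt 32) }).Count
    "Non-text bytes in first $($head.Length): $binary"
} catch {
    Write-Warning "Could not read file: $($_.Exception.Message)"
}

# Alternate data streams are not counted in the size Explorer displays
Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
    Select-Object Stream, Length
```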

#73 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 31 January 2006 - 05:24 PM

I'm not sure what it's related to either
Can you leave the file where it is and right click on it and rename it to
usuot.lo_

See if it has any effect on any programs



#74 indigenous1

indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 01 February 2006 - 12:32 AM

I changed the name of the file and all other programs seem to be working fine.

#75 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 01 February 2006 - 12:41 AM

Good work, and thanks for hanging in there :)

If everything's running good still
I would clear your system restore points again
Remember to reenable it after you have rebooted

You should have SpywareBlaster 3.5.1 installed
Make sure to check for updates every couple of weeks

Same goes with Spybot 1.4
Immunize after every update

*Keep up to date on Windows updates
It's very important to keep up to date on the latest High Priority updates
Set dad to Automatic updates if he wants :)

*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Check for updates with your anti-spyware programs and run a scan on a regular basis
This includes Ad-aware and Spybot

You may also choose to hold onto Ewido and CleanUp!
Ewido is a Limited version after a couple weeks
It's still a very good scanner to update and run once a month

Stay safe :D



#76 indigenous1

indigenous1

    Journeyman

  • Members
  • 45 posts

Posted 01 February 2006 - 01:03 AM

hey, i just wanna say thanks for being patient with me through this ordeal. i learned quite a lot throughout this month long journey. i appreciate it. you actually will be hearing from me again very soon b/c in trying to download a program to fix this computer i got a virus on my own computer. i posted the thread over a month ago but i will find it and reply. i've just been busy putting all of my time and effort into this computer. trust me, my computer won't be nearly as difficult as this one was.

#77 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 01 February 2006 - 01:06 AM

Sounds good, I'll lock this topic as it appears resolved
If you can't find your other post, start a new one with a fresh hijackthis log

Take care :)
